new DNS forwarder vulnerability
mysidia at gmail.com
Sat Mar 15 11:38:11 UTC 2014
On Fri, Mar 14, 2014 at 5:06 PM, Wayne E Bouchard <web at typo.org> wrote:
> Have we ascertained if there is a typical configuration adjustment
> that can be made to reduce or eliminate the likelihood of impact?
I think your best tactic is: Provide specified DNS resolver cache servers.
Don't use CPEs for DNS forwarders.
The trouble is that a CPE's management/locally-bound IP address is in many
cases the same IP address as the NAT address shared with user traffic,
instead of a dedicated separate IP address on which traffic can be
managed and security-controlled.
Provided you ensure that the CPE's bound IP address is not overloaded or
shared with user traffic, you might try firewalling destination port
53 to the CPE, except from the proper upstream DNS resolvers, since
nothing else should be "replying" to a DNS request made by the CPE.
Look into whether the CPE can use a different, lesser-used UDP port than
53 to forward DNS requests to; use device firewall rules or upstream ACLs
to limit which source IP addresses can talk to the service on the CPE's IP.
To ascertain effectiveness for a specific CPE, you would need to run a
sample exploit with a before and after test.
> (From the description it sounds as though this is not possible but it
> doesn't hurt to ask.)
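The filtering policy sketched in the reply above (accept DNS traffic at the CPE's WAN address only from the configured upstream resolvers, accept queries only from the LAN, optionally move the forwarder off port 53), written as an added example that is not part of the thread; it models the rules as a small packet-decision function and runs it over constructed sample packets. All addresses, the interface names and the `decide` helper are assumptions for illustration, not taken from any real CPE.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (documentation/TEST-NET ranges, not real hosts).
CPE_WAN_ADDR = ipaddress.ip_address("203.0.113.7")      # CPE's own WAN-bound address
CPE_LAN_ADDR = ipaddress.ip_address("192.168.1.1")      # CPE's LAN-side address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")         # subscriber side
UPSTREAM_RESOLVERS = {                                   # the ISP's real recursive servers
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("198.51.100.11"),
}


@dataclass(frozen=True)
class Packet:
    iface: str    # "wan" or "lan": which CPE interface the UDP datagram arrived on
    src: str
    dst: str
    sport: int
    dport: int


def decide(pkt: Packet, forwarder_port: int = 53) -> str:
    """Return ACCEPT/DROP for a UDP datagram addressed to the CPE's DNS forwarder.

    forwarder_port lets you model the 'use a lesser-used port' variant: only
    that port is treated as the forwarder's listening port.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "lan":
        # Queries to the forwarder are accepted only from the LAN prefix.
        if dst == CPE_LAN_ADDR and pkt.dport == forwarder_port:
            return "ACCEPT" if src in LAN_NET else "DROP"
        return "DROP"
    if dst != CPE_WAN_ADDR:
        return "DROP"                     # not for the CPE itself; out of scope here
    if pkt.dport == forwarder_port:
        # Internet-side query aimed at the forwarder: only upstream resolvers may reach it.
        return "ACCEPT" if src in UPSTREAM_RESOLVERS else "DROP"
    if pkt.sport == 53:
        # A reply to a query the CPE forwarded: nothing but the upstream should answer.
        return "ACCEPT" if src in UPSTREAM_RESOLVERS else "DROP"
    return "DROP"


if __name__ == "__main__":
    sample = [
        Packet("wan", "192.0.2.55", "203.0.113.7", 40000, 53),        # stranger probing the forwarder
        Packet("wan", "198.51.100.10", "203.0.113.7", 53, 43210),     # upstream answering the CPE
        Packet("wan", "192.0.2.55", "203.0.113.7", 53, 43210),        # rogue "reply"
        Packet("lan", "192.168.1.20", "192.168.1.1", 51000, 53),      # subscriber's query
    ]
    for p in sample:
        print(p.src, "->", p.dst, p.dport, decide(p))
```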